Jonas Finnemann Jensen
jonasfj
jonasfj
/ relengapi_taskcluster.py
| import requests | |
| from relengapi.lib.permissions import p | |
| def scope_satisfied(req, scopes): | |
| """ | |
| Returns true, if scopes satisfies req | |
| """ | |
| return any(( | |
| s == req or (s.endswith('*') and req.startswith(s[:-1])) for s in scopes | |
| )) |
jonasfj
/ yubikey-setup.txt
| Decent links: | |
| * https://github.com/drduh/YubiKey-Guide | |
| * https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/ | |
| * http://stafwag.github.io/blog/blog/2015/06/16/using-yubikey-neo-as-gpg-smartcard-for-ssh-authentication/ | |
| * Or just google for gpg, yubikey, ssh, there is a lot of guides. | |
| ## The GPG setup |
| #!/bin/bash | |
| # This script expects AWS credentials: | |
| # SIGNIN_AWS_ACCESS_KEY_ID | |
| # SIGNIN_AWS_SECRET_ACCESS_KEY | |
| # And optionally the TOTP entry name in your yubikey | |
| # SIGNIN_AWS_YUBIKEY_OATH_NAME | |
| # Put these environment variables into your .bashrc.local (or .bashrc, if you | |
| # don't sync dot-files). In your .bashrc you'll also want: | |
| # alias signin-aws='eval `signin-aws`' |
Example task: https://tools.taskcluster.net/groups/FxNyHL2oRnWBFzWUdqIkGQ/tasks/FxNyHL2oRnWBFzWUdqIkGQ/details
This works with any clientId/accessToken that has the scope: assume:project:autophone:custom-worker-scopes
Notice, that you can take the scopes from that role and make them more specific, so workers have fewer permissions.
jonasfj
/ jsone-light.js
| import _ from 'lodash'; | |
| import assert from 'assert'; | |
| // Render string given context | |
| let renderString = (value, context) => { | |
| return value.replace(/\${([^}]+)}/g, (expr, key) => { | |
| if (context[key] === undefined) { | |
| throw new Error('Undefined variable referenced in: ' + expr); | |
| } | |
| if (!_.includes(['number', 'string'], typeof(context[key]))) { |
jonasfj
/ actions-utils.js
| import _ from 'lodash'; | |
| import Ajv from 'ajv'; | |
| import assert from 'assert'; | |
| import taskcluster from 'taskcluster-client'; | |
| let data = {}; // TODO: Load actions.json from decision task | |
| if (data.version > 1) { | |
| throw Error('Unsupported version of public/actions.json'); | |
| } |
jonasfj
/ actions-schema.yml
| $schema: http://json-schema.org/draft-04/schema# | |
| id: https://hg.mozilla.org/mozilla-central/raw-file/tip/taskcluster/docs/actions-schema.yml | |
| title: Schema for Exposing Actions | |
| description: | | |
| This document specifies the schema for the `public/actions.json` used by | |
| _decision tasks_ to expose actions that can be triggered by end-users. | |
| For the purpose of this document the _consumer_ is the user-interface that | |
| displays task results to the end-user and allows end-users to trigger actions | |
| defined by `public/actions.json`. A _consumer_ might be Treeherder. |
jonasfj
/ simple-expression-language
| { | |
| // Save parse options as context | |
| var context = options; | |
| } | |
| Expression | |
| = _ e:LogicalExpression _ { return e; } | |
| LogicalExpression | |
| = l:ComparisonExpression _ '||' _ r:LogicalExpression { return l || r; } |
| { | |
| "id": "http://schemas.taskcluster.net/common/v1/cot.json#", | |
| "$schema": "http://json-schema.org/draft-04/schema#", | |
| "title": "Chain of Trust Artifact", | |
| "description": "COT-artifact for verfication of tasks", | |
| "type": "object", | |
| "properties": { | |
| "chainOfTrustVersion": {"enum": [1]}, | |
| "artifacts": { | |
| "additionalProperties": { |
taskId of the loaner task